A security consultant I used to interview a lot told me a dumb-user story about a dotcom-startup client of his that took the long way around to identify the problem with a downed server.

Sysadmins spent at least an hour, he said, trying to unfreeze or reboot the server remotely before someone finally went into the back room to check that it was plugged in. That is when they realized someone had broken in through the outside door that opened into the server room and walked off with the server.

The only thing you can do is scan everything as it comes in. Running checks on every device that plugs into a computer inside the firewall is expensive (though maybe not more expensive than not doing it, depending on how bad the malware is), difficult to set up, and comes with more overhead than you'd like.

It's also the only way to keep at bay malware that's been hand-carried through your firewall by employees you probably shouldn't trust. Users don't bring malware in on purpose, but IT has to behave as if they did. No matter how good your security systems are, you still have to lock the door and make sure no one's walked off with the server.